A Policy Enforcement Point (PEP) is a critical component within the Attribute-Based Access Control (ABAC) architecture, ensuring the protection of enterprise data by enforcing access control. ABAC, also known as policy-based access control for Identity and Access Management (IAM), determines a subject’s authorization to perform specific operations by evaluating attributes associated with the subject, object, requested operations, and environmental factors.
ABAC Architecture Overview
ABAC comprises several key components:
Policy Enforcement Point (PEP): PEPs are responsible for protecting applications and data. They inspect requests and generate authorization requests, which are then sent to the Policy Decision Point (PDP).
Policy Decision Point (PDP): PDPs evaluate incoming requests against configured policies, returning a Permit/Deny decision. They may also use Policy Information Points (PIPs) to retrieve missing metadata.
Policy Information Point (PIP): PIPs connect the PDP to external attribute sources, such as LDAP or databases.
Policy Administration Point (PAP): PAPs manage policies, providing a centralized repository for policy administration.
How Does a Policy Enforcement Point Work?
In the ABAC architecture, a PEP functions by intercepting a user’s request to access a resource. It forms an authorization request based on the user’s attributes, the resource in question, the intended action, and other relevant details. This request is then sent to the PDP, which evaluates it against existing policies and decides whether access should be granted. The decision is communicated back to the PEP, which either allows or denies access based on the PDP’s evaluation.
Importance of Policy Enforcement Points
PEPs play a crucial role in maintaining security within an application by ensuring access control is enforced consistently and independently at multiple points. They work closely with PDPs to interpret policies and control access, without requiring complex authorization logic. This decentralized approach is particularly effective in SaaS applications, APIs, microservices, or any part of the application requiring stringent access control.
PEP Implementation
Implementing a PEP involves determining where access control enforcement should occur within an application. It is recommended to integrate PEPs at API endpoints to serve as logical checkpoints between different application functions. In monolithic applications, PEPs may be embedded within the application’s logic.
The PEP requests an authorization decision from the PDP, typically by sending a request to a RESTful API exposed by the PDP. The PDP returns the decision in JSON format, which the PEP then evaluates to determine whether access should be granted. For more complex scenarios, PEPs may need to interpret more detailed JSON responses. Packaging PEP code as a reusable library or artifact in the preferred programming language can streamline integration across the application.
Conclusion
Policy Enforcement Points (PEPs) are essential for robust access control in modern applications. They ensure that access policies are enforced consistently, adapt to changing security requirements, and provide logging and monitoring capabilities for compliance and post-incident analysis. By effectively implementing PEPs, organizations can enhance their security posture, reduce the risk of unauthorized access, and ensure compliance with security policies.
Microsoft researchers identified a critical vulnerability in ESXi hypervisors that ransomware operators could exploit to gain full administrative permission over the domain-joined hypervisor. ESXi is an advanced bare-metal hypervisor that allows for direct control over the underlying resources. It’s a host for virtual machines, often quite important ones within a network. In case of a ransomware attack, this grants full administrative access to an ESXi hypervisor, where threat actors could encrypt the file system, thus affecting the functionality of the hosted servers. Moreover, threat actors gain access to all hosted VMs, allowing data exfiltration or lateral movement within the network.
The vulnerability, identified as CVE-2024-37085, was created by a default domain group in ESXi hypervisors that gives full administrative access without proper validation. Microsoft has now disclosed this finding to VMware through Coordinated Vulnerability Disclosure via Microsoft Security Vulnerability Research. This led to VMware releasing a security update. Microsoft recommends that ESXi server administrators apply these updates and follow the mitigation and protection guidelines therein.
Vulnerability Analysis and Exploitation Techniques
Microsoft security researchers observed ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest exploiting this vulnerability. In many cases, these attacks led to deployments of Akira and Black Basta ransomware. The exploitation technique involves running commands to create a group named “ESX Admins” in the domain and adding a user to it:
net group “ESX Admins” /domain /add
net group “ESX Admins” username /domain /add
This method leverages the vulnerability in domain-joined ESXi hypervisors, allowing attackers to elevate privileges to full administrative access. The vulnerability arises because ESXi hypervisors consider any member of a group named “ESX Admins” to have full administrative access by default, even if the group did not originally exist. This group is not a built-in group in Active Directory and does not exist by default, and the membership is determined by name rather than security identifier (SID).
Researchers identified three exploitation methods:
Creating the “ESX Admins” Group: This method, actively exploited in the wild, involves creating the “ESX Admins” group and adding a user to it. Any domain user with the ability to create a group can escalate privileges by creating such a group and adding themselves or other users to it.
Renaming a Group: This method involves renaming any group in the domain to “ESX Admins” and adding a user or using an existing member to escalate privileges. This method has not been observed in the wild by Microsoft.
Privileges Refresh: Even if the network administrator assigns another group to manage the ESXi hypervisor, the full administrative privileges of the “ESX Admins” group are not immediately removed, allowing threat actors to abuse it. This method also has not been observed in the wild by Microsoft.
Ransomware Operators Targeting ESXi Hypervisors
Over the past year, ransomware actors have increasingly targeted ESXi hypervisors. ESXi hypervisors are popular in corporate networks and are often targeted due to the limited visibility and protection offered by many security products. Encrypting an ESXi hypervisor file system enables one-click mass encryption, impacting hosted VMs and allowing threat actors more time and complexity for lateral movement and credential theft.
Microsoft has observed various ransomware operators, including Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, supporting or selling ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper. The number of Microsoft Incident Response engagements involving ESXi hypervisor attacks has more than doubled in the last three years.
Black Basta Ransomware Deployment by Storm-0506
This critical hypervisor vulnerability has been exploited in the wild, and to great effect. Earlier this year, an engineering firm in North America was hit by a Black Basta ransomware deployment by Storm-0506. The attack exploited the CVE-2024-37085 vulnerability to gain elevated privileges on ESXi hypervisors. The threat actor initially accessed the organization via a Qakbot infection, followed by exploiting a Windows CLFS vulnerability (CVE-2023-28252) to elevate privileges on affected devices. They used Cobalt Strike and Pypykatz to steal domain administrator credentials and move laterally to domain controllers.
On the compromised domain controllers, the attacker installed persistence mechanisms using custom tools and a SystemBC implant. They attempted to brute force RDP connections and installed Cobalt Strike and SystemBC on multiple devices. The attacker then created the “ESX Admins” group, added a new user, and used this access to encrypt the ESXi file system, affecting the hosted VMs. Microsoft Defender Antivirus and automatic attack disruption in Microsoft Defender for Endpoint stopped encryption attempts on devices with the unified agent installed.
Mitigation and Protection Guidance
Microsoft advises organizations using domain-joined ESXi hypervisors to apply the security update released by VMware to address CVE-2024-37085. Additional recommendations include:
Install Software Updates: Ensure the latest security updates from VMware are installed on all domain-joined ESXi hypervisors. If updates cannot be installed immediately, validate the “ESX Admins” group exists in the domain and is hardened. Manually deny access to this group in the ESXi hypervisor settings, change the admin group, and add custom detections in XDR/SIEM for new group names.
Credential Hygiene: Protect highly privileged accounts by enforcing multifactor authentication (MFA), enabling passwordless authentication methods, and isolating privileged accounts from productivity accounts.
Improve Critical Assets Posture: Identify and protect critical assets such as ESXi hypervisors and vCenters with the latest security updates, proper monitoring procedures, and backup and recovery plans.
Identify Vulnerable Assets: Deploy authenticated scans of network devices using SNMP via the Microsoft Defender portal to identify vulnerabilities in network devices like ESXi.
Detection and Threat Intelligence
Microsoft Defender for Endpoint and Microsoft Defender for Identity provide alerts that can indicate associated threat activity, such as suspicious modifications to the “ESX Admins” group, suspicious Windows account manipulation, and compromised accounts conducting hands-on-keyboard attacks. Microsoft customers can use reports in Microsoft Defender Threat Intelligence to get up-to-date information about threat actors and techniques. Hunting queries are available for Microsoft Defender XDR and Microsoft Sentinel to detect related activities.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
Switzerland has recently enacted the “Federal Law on the Use of Electronic Means for the Fulfillment of Government Tasks” (EMBAG), a landmark legislation that mandates the use of open-source software (OSS) in the public sector. This law requires all public bodies to disclose the source code of software developed by or for them unless third-party rights or security concerns prevent it. This initiative, driven by the “public money, public code” principle, aims to enhance transparency, security, and efficiency in government operations.
Background
The journey towards EMBAG began in 2011 with the Swiss Federal Supreme Court’s release of Open Justitia, a court application published under an OSS license. This move faced opposition from proprietary software vendors and sparked a decade-long political and legal battle. Finally, in 2023, EMBAG was passed, marking a significant shift towards open-source adoption in Switzerland.
Key Provisions of EMBAG
The EMBAG law mandates several key actions:
Open Source Requirement: Public bodies must disclose the source code of developed software unless restricted by third-party rights or security concerns.
Open Government Data: Non-personal and non-security-sensitive government data must be released as Open Government Data (OGD).
The Thought Process Behind Switzerland’s Decision
Professor Dr. Matthias Stürmer, a leading advocate for the law, emphasized its potential benefits for the government, the IT industry, and society. Open-source software reduces vendor lock-in, encourages digital business expansion, and potentially lowers IT costs while improving services for taxpayers. Implementing EMBAG aims to promote digital sovereignty and encourage innovation and collaboration within the public sector. The Swiss Federal Statistical Office (BFS) is leading the law’s implementation, although organizational and financial aspects of OSS releases still need to be clarified.
Comparison with the US
Despite the clear advantages seen in Switzerland, the United States has been more reluctant to fully embrace open-source software. The US government’s approach to OSS is characterized by cautious and incremental adoption rather than sweeping mandates. The US Federal Source Code Policy requires federal agencies to release at least 20% of new custom-developed code as OSS but does not mandate its use across all government software. Similarly, the General Services Administration (GSA) promotes an “open first” approach but stops short of a full commitment to open-source software.
One major reason for the US’s hesitant stance is security. The US government prioritizes secure software development and the protection of the open-source ecosystem. The Biden-Harris Administration’s National Cybersecurity Strategy (NCS) emphasizes the need for secure software, including investments in memory-safe languages and secure software development techniques. Efforts to enhance OSS security are ongoing, with initiatives led by agencies like CISA.
OSS and The CrowdStrike Incident
The reluctance to adopt open-source software in the US was highlighted by the CrowdStrike incident, where a significant security breach exposed sensitive information. If CrowdStrike’s software had been open source, the security community could have identified and patched vulnerabilities much more quickly. Due to CrowdStrike’s closed-source functionality, IT teams struggled around the world with solving the mass BSODs within the incident much more than needed. Open-source software allows for more eyes on the code, increasing the likelihood of identifying security flaws before they can be exploited.
Advantages of Open Source as a Whole
Open-source software offers numerous advantages over closed-source alternatives. It promotes transparency, allowing users to inspect the code and understand how their data is being handled. This transparency can build trust and ensure that software behaves as expected without hidden functionalities. Open-source software also fosters innovation by allowing developers to build upon existing code, accelerating the development of new features and technologies. Moreover, it can lead to cost savings by reducing the need for expensive proprietary licenses and allowing for community-driven support and development. As Switzerland has demonstrated, embracing open-source software can lead to more secure, efficient, and transparent government operations, providing a model for other countries to follow.
Conclusion
Switzerland’s decisive move towards open-source software sets a compelling example of transparency, security, and efficiency in government operations. While the US recognizes the importance of OSS, its approach remains cautious, prioritizing security and coordinated strategies over broad mandates. As global digital infrastructure continues to evolve, the US may need to reassess its stance on open-source adoption to fully leverage the benefits seen in European counterparts. By understanding these dynamics, security professionals and policymakers can better advocate for more secure and transparent digital governance.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
State-Sponsored Chinese Hackers Target Japanese Organizations with LODEINFO Malware
How can Netizen help?
DDoS Attack Triggers Microsoft Global Outage
On July 30, 2024, a Distributed Denial-of-Service (DDoS) attack caused a global outage of Microsoft services. The tech giant revealed that an error in its DDoS protection measures worsened the situation instead of mitigating it.
The outage lasted for about 10 hours, from 11:45 UTC to 19:43 UTC, affecting various Microsoft platforms, including Outlook, Azure, and Minecraft. Microsoft cloud services like Intune and Entra were also impacted. Multiple organizations, such as banks, courts, and utility services, reported issues.
Microsoft described an “unexpected usage spike” that led to Azure Front Door (AFD) and Azure Content Delivery Network (CDN) components performing below acceptable thresholds, causing errors, timeouts, and latency spikes. Stephen Robinson, Senior Threat Intelligence Analyst at WithSecure, noted that although the outage was short and affected only a subset of services, its impact was significant for many users.
In response, Microsoft made networking configuration changes to support its DDoS protection efforts and performed failovers to alternate networking paths. These actions mitigated most of the issues by 14:10 UTC, with normal service levels resuming globally by 19:43 UTC. The incident was declared mitigated at 20:48 UTC.
Microsoft apologized to customers via its X account and promised to publish a Preliminary Post Incident Review (PIR) within 72 hours to provide more details on the event and its response.
The outage’s ripple effects were felt across various sectors. Cambridge Water, the HM Courts and Tribunals Service, and NatWest were among the organizations impacted. Customers around the world experienced difficulties accessing websites and services dependent on Microsoft’s platforms. Microsoft’s quick response and implementation of a fix showed improvement, and the situation was monitored to ensure full recovery.
The outage coincided with Microsoft’s financial update, where the company reported weaker-than-expected growth in its April-June period, causing shares to drop by 2.7% in after-hours trading. Despite these challenges, revenue in the “intelligent cloud” unit rose 21% year-on-year, contributing to an overall revenue increase of 15% to $64.7 billion, with profit rising 11% to $22 billion.
State-Sponsored Chinese Hackers Target Japanese Organizations with LODEINFO Malware
A Chinese state-sponsored hacking group known as Stone Panda (APT10) has been exploiting antivirus software to deploy a new version of the LODEINFO malware against high-value targets in Japan. These targets include media groups, diplomatic agencies, government organizations, public sector entities, and think tanks.
The LODEINFO backdoor malware includes several advanced capabilities. It can download and upload files to and from Command and Control (C2) servers, inject shellcode into memory, kill processes using process IDs, change directories, send malware and system information, take screenshots, encrypt files using an AES key, and execute commands via Windows Management Instrumentation (WMI). Additionally, it has configuration capabilities, although the implementation is incomplete.
First discovered in 2019, LODEINFO has been continuously updated and improved to enhance its sophistication as a cyber-espionage tool. The malware and its infection methods have evolved to evade security products and complicate analysis by security researchers. Recent versions, such as v0.6.6 and v0.6.7, include support for Intel 64-bit architecture, reflecting the attackers’ focus on expanding their target environments.
Improvements in LODEINFO include the implementation of the Vigenere cipher, a complex infection flow with fileless malware, partial XOR encryption, C2 communication packets with unique data structures and variable lengths, and the use of password-protected documents. These updates indicate a concentrated effort by APT10 to make detection, analysis, and investigation more challenging.
The updated TTPs and enhancements in LODEINFO highlight the persistent threat posed by APT10 and their focus on sophisticated cyber-espionage operations. The attackers’ ability to continuously improve their malware to evade detection underscores the need for robust cybersecurity measures.
Maintaining a secure infrastructure with the latest antivirus software tools and constant vigilance is critical to defending against sophisticated malware like LODEINFO. Organizations are advised to stay updated on the latest threat intelligence and ensure their security measures are robust and up-to-date.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Meta Faces EU Scrutiny Over “Pay or Consent” Model
Federal Recovery Underway After CrowdStrike Outage; Congress Demands Accountability
How can Netizen help?
Phish Tale of the Week
Often times phishing campaigns, created by malicious actors, target users by utilizing social engineering. For example, in this email, the actors are appearing as Amazon. The message tells us that our membership has expired, and that our monthly payment has failed, so we have to take action in order to update our payment details. It seems both urgent and genuine, so why shouldn’t we visit the link they sent us? Luckily, there’s plenty of reasons that point to this being a scam.
Here’s how we can tell not to click on this link:
The first warning sign for this email is the formatting. Immediately, it’s apparent that different text boxes in the email have different alignments and different sizes, as well as strange spacing. The “confirm” button is a great example of this strange lettering: the text varies between sizes, switches between all-capital and regular format, and just overall looks unprofessional. It’s important to be wary of small inconsistencies such as this as they can be key indicators that the sender of the email may not be who they seem.
The second warning signs in this email is the messaging. This message tries to create a sense of opportunity and urgency in order to get you to take action by using language such as “Available ONLY TODAY” and “Your membership has expired!” Phishing and smishing scams commonly attempt to create a sense of urgency/confusion in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link or other attachment sent through email.
The final warning sign for this email is the fact that it informs us that we’re going to insert our credit card details for the validation of our account once we click the link. The email informs us that they “will not” withdraw any amount, which is very curious for a number of reasons. Firstly, it contradicts their earlier statement that they need to charge us for renewing the prime membership, and additionally a Fortune 500 company should have to need to insist upon their customers that they “won’t” withdraw any money from their credit cards. All of these factors point to the above being a phishing email, and a very unsophisticated one at that.
General Recommendations:
A phishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages.
Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match the one I already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
Verify that the sender is actually from the company sending the message.
Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email.
Do not give out personal or company information over the internet.
Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
Many phishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.
Cybersecurity Brief
In this month’s Cybersecurity Brief:
Meta Faces EU Scrutiny Over “Pay or Consent” Model
Meta, the parent company of Facebook and Instagram, is under scrutiny from the European Commission over its advertising model dubbed “pay or consent.” This model gives users a choice between paying for an ad-free experience or consenting to their personal data being used for targeted advertising.
The European Commission, through its Consumer Protection Cooperation Network, has raised concerns that this approach may violate consumer protection laws. Authorities argue that users might feel pressured into making a quick decision under the impression that refusing consent could result in losing access to their accounts or network connections.
Under the EU Digital Markets Act (DMA), companies designated as gatekeepers must obtain users’ explicit consent before utilizing their data for targeted ads. The Commission alleges that Meta’s model does not adequately inform users of their options and misleads them with unclear terms, including describing services as “free” despite the requirement for data consent.
Meta defends its model, citing a previous ruling from the Court of Justice of the European Union that allows companies to offer a paid, ad-free alternative. However, critics argue that Meta’s implementation lacks transparency and fails to provide a genuine choice to users.
This regulatory challenge adds to Meta’s ongoing global scrutiny over data privacy practices. Recently, the company faced fines in Nigeria for data sharing violations and penalties in Turkey over data practices across its platforms.
As the deadline approaches for Meta to address the EU concerns by September 1, 2024, the outcome will likely shape future regulatory standards for tech giants operating within the European Union.
Federal Recovery Underway After CrowdStrike Outage; Congress Demands Accountability
The U.S. federal government and various sectors are recuperating from a significant outage caused by a flawed update to CrowdStrike’s Falcon security software, impacting Microsoft Windows systems globally. The incident led to disruptions in essential services including federal agencies, airlines, banks, and hospitals.
Social Security Administration (SSA) offices, which closed on Friday due to the outage, resumed public services on July 22nd. The Federal Communications Commission (FCC) reported disruptions to 911 services in some states.
CrowdStrike and Microsoft are actively addressing the issue. Microsoft estimates that 8.5 million Windows devices were affected and has provided remediation solutions. CrowdStrike is testing new methods to expedite system recovery and has promised updates through their Tech Alerts.
In response to the outage, lawmakers are demanding transparency and preventive measures from both CrowdStrike and federal agencies. Rep. Ritchie Torres (D-N.Y.) called for a Department of Homeland Security investigation into the incident, emphasizing the critical impact on national infrastructure.
The House Committee on Homeland Security and Sen. Eric Schmitt (R-Mo.) have also voiced concerns over national security implications and the need for robust cybersecurity measures.
As recovery efforts continue, stakeholders await comprehensive explanations and assurances to prevent future disruptions of such magnitude.
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Security vulnerabilities are a common occurrence in managing any business’s organizational security. The prompt patching and remediation of any new vulnerabilities are critical to reducing the outside attack surface. Netizen’s Security Operations Center (SOC) has compiled five vulnerabilities from July that should be immediately patched or addressed if present in your environment. Detailed writeups below:
CVE-2024-38080
CVE-2024-38080 describes a high-severity elevation of privilege vulnerability found in Microsoft’s Windows Hyper-V. This vulnerability arises from an issue in the system that could potentially allow a malicious actor with local access to a virtual machine to execute arbitrary code on the host machine with elevated privileges. This type of vulnerability is particularly concerning in environments where multiple users share virtualized resources, as it could allow an attacker to gain unauthorized control over the host system, impacting the confidentiality, integrity, and availability of all virtual machines on the host. The vulnerability has been given a CVSS v3 base score of 7.8, with a vector of CVSS:3.1/AV/AC/PR/UI/S/C/I/A, indicating it has high impacts on confidentiality, integrity, and availability, requires low privileges and low attack complexity, and does not require user interaction. This score suggests that the vulnerability is severe and could have widespread implications if exploited. Given the potential implications of this vulnerability, it is listed in CISA’s Known Exploited Vulnerabilities Catalog, which mandates that affected organizations apply the necessary mitigations or updates provided by Microsoft before the specified due date to prevent possible exploits. The patches to address this vulnerability were included in Microsoft’s July 2024 Patch Tuesday release, which addressed multiple vulnerabilities across various products. Organizations using affected versions of Windows 11 and Windows Server 2022 are advised to review the specific versions and configurations listed as vulnerable and ensure that they apply the updates provided by Microsoft promptly. Regularly updating systems and following vendor guidelines for security are critical measures to protect against known vulnerabilities and potential attacks. For detailed instructions and further guidance, users should refer to the official Microsoft Security Response Center (MSRC) advisory.
CVE-2024-38094
CVE-2024-38094 is a remote code execution vulnerability in Microsoft SharePoint, caused by the deserialization of untrusted data, identified under CWE-502. This vulnerability, released on July 9, 2024, primarily affects Microsoft SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Microsoft classifies the severity of this issue as important, with a CVSS v3 base score of 7.2 and a vector of AV/AC/PR/UI/S/C/I/A, indicating that the vulnerability is network exploitable, has low attack complexity, requires high privileges, and involves no user interaction, leading to high impacts on confidentiality, integrity, and availability. The CVSS v2 score is 8.3, with a vector of AV/AC/Au/C/I/A, showing its critical impact through network access, low complexity, and medium level of required authentication. Security updates to address this vulnerability have been released, with specific patches for each affected SharePoint version: Version 16.0.17328.20424 for the SharePoint Server Subscription Edition, Version 16.0.10412.20001 for SharePoint Server 2019, and Version 16.0.5456.1000 for SharePoint Enterprise Server 2016. Given the severity and potential impact of this vulnerability, organizations are urged to apply these updates immediately to protect their systems from possible exploitation. The likelihood of exploitation is considered more likely, emphasizing the necessity for timely patch management and ongoing vigilance in system monitoring. For more information, refer to the official MSRC advisory.
CVE-2024-23692
CVE-2024-23692 marks a critical security breach concerning the Rejetto HTTP File Server (HFS), specifically targeting versions up to and including 2.3m. This vulnerability stems from a template injection flaw, enabling remote, unauthenticated attackers to execute arbitrary commands on the compromised system. Attackers exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable server. This issue has garnered significant attention due to its inclusion in the CISA Known Exploited Vulnerabilities Catalog, affirming its active exploitation in the wild. The severity of this vulnerability is underscored by its CVSS v3 base score of 9.8, delineated by the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which indicates that the vulnerability can be exploited remotely with minimal complexity and without any user interaction. This poses high risks to the confidentiality, integrity, and availability of affected systems. The CVSS v2 scoring also highlights its critical impact with a score of 10 and a vector of AV:N/AC:L/Au:N/C:C/I:C/A:C, reflecting the comprehensive and severe impact across all three CIA (Confidentiality, Integrity, Availability) metrics. Given that Rejetto HFS 2.3m is no longer supported and therefore not receiving security updates, users are strongly advised to upgrade to the patched version, Rejetto HFS 3. This new version addresses the current vulnerability alongside other potential security issues that could compromise system security. For those using the affected versions, the update to Rejetto HFS 3 is crucial to mitigate the risk posed by CVE-2024-23692 and to protect against potential exploits that could leverage this vulnerability to gain unauthorized access or control over the systems. Immediate action is recommended to prevent any exploitation attempts that could lead to data breaches or further network compromise. For more information, refer to the NIST documentation here.
CVE-2024-38086
CVE-2024-38086 pertains to a remote code execution vulnerability in the Azure Kinect SDK, identified by Microsoft and released on July 9, 2024. The vulnerability stems from a numeric truncation error (CWE-197) that could potentially allow attackers to execute arbitrary code remotely. However, the maximum severity of this issue is classified as Important rather than Critical. According to the CVSS v3.1 scoring, this vulnerability has a base score of 6.4, with a vector of CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. This scoring reflects the impact on confidentiality, integrity, and availability as high, with the attack vector requiring physical access (AV:P) to the target system. The attack complexity is high (AC:H), meaning that exploitation demands specific environmental information and preparation. No privileges or user interaction are required for an attacker to exploit the vulnerability. The CVSS v2 score for this vulnerability is 6.2, represented by the vector CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C, indicating a medium severity level. This assessment underscores the high impact on the system but acknowledges the need for physical access to carry out the exploit. Microsoft has confirmed the vulnerability and provided an official fix in Azure Kinect SDK version 1.4.2. Security experts like VictorV (Tang Tianwen) with Kunlun Lab have been acknowledged for their contributions to identifying and disclosing this vulnerability.For more information, including the official security update, refer to Microsoft’s security update guide.
CVE-2024-6387
CVE-2024-6387, also known as the “Regresshion” vulnerability, is a significant security flaw discovered in OpenSSH’s server component (sshd). This vulnerability is characterized by a race condition that leads to unsafe signal handling by sshd. The issue was first identified as a regression of an earlier vulnerability, CVE-2006-5051. This race condition occurs when an unauthenticated remote attacker attempts to authenticate within a specific time frame and triggers unsafe signal handling in sshd. The vulnerability is rated with a CVSS 3.x base score of 8.1, categorized as “High” severity. The CVSS vector string for this vulnerability is CVSS:3.1/AV/AC/PR/UI/S/C/I/A, indicating that it is exploitable over a network with high impact on confidentiality, integrity, and availability. The flaw stems from a race condition that affects how sshd processes certain signals. In this scenario, if an unauthenticated attacker interacts with the sshd service, they might exploit the race condition to cause sshd to handle signals in an unsafe manner. This can result in unauthorized remote code execution. The vulnerability is a regression from an earlier fixed issue, CVE-2006-5051, which had previously addressed similar problems with signal handling in sshd. The specific nature of the regression means that while the vulnerability was known and addressed before, it has reappeared in a different form. The vulnerability impacts various configurations of OpenSSH across multiple operating systems. Notable affected configurations include versions of OpenSSH from 8.6 up to but not including 9.8, and it affects systems across different distributions such as Red Hat, Debian, Ubuntu, FreeBSD, NetBSD, and others. The issue is not confined to a single operating system but spans across several, indicating a broad potential impact. To mitigate CVE-2024-6387, users are advised to update their OpenSSH installations to the latest versions that include patches addressing this vulnerability. The OpenSSH development team and various operating system vendors have released patches and updates to rectify the issue. For detailed guidance, affected users should refer to advisories from their specific operating system vendors, such as Red Hat, Ubuntu, FreeBSD, and others. Additionally, resources such as the OpenSSH release notes and security advisories provide further instructions for mitigating the risk.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
A Spanish-speaking cybercrime group named GXC Team has been observed elevating the standard of phishing attacks by bundling phishing kits with malicious Android applications. This innovative approach has taken malware-as-a-service (MaaS) offerings to the next level. Singaporean cybersecurity firm Group-IB has been tracking this e-crime actor since January 2023, describing their solution as a “sophisticated AI-powered phishing-as-a-service platform” targeting users of more than 36 Spanish banks, various governmental bodies, and 30 institutions globally.
The phishing kit alone is priced between $150 and $900 per month. However, the bundle that includes both the phishing kit and Android malware is available for approximately $500 per month. This subscription model has widened their target base, including users from Spanish financial institutions, governmental services, e-commerce platforms, banks, and cryptocurrency exchanges in countries like the United States, United Kingdom, Slovakia, and Brazil. To date, 288 phishing domains linked to this campaign have been identified.
Combining Phishing Kits and Android Malware
What sets the GXC Team apart is their innovative method of combining phishing kits with SMS OTP stealer malware, deviating from traditional phishing attack scenarios. Instead of simply using bogus web pages to capture credentials, victims are persuaded to download a malicious Android banking app. This app, once installed, requests permissions to become the default SMS app, enabling it to intercept OTPs and other messages, which are then exfiltrated to a Telegram bot controlled by the attackers.
Security researchers Anton Ushakov and Martijn van den Berk highlighted this novel approach in their report, noting that the malicious app opens genuine bank websites in WebView, allowing users to interact normally. However, when an OTP is requested, the malware silently intercepts and forwards the SMS messages containing the OTP codes to the attackers’ Telegram chat. This mechanism enhances the credibility of the scam, making it more convincing for victims.
AI-Powered PaaS
Among the services advertised by the GXC Team on a dedicated Telegram channel are AI-powered voice calling tools. These tools enable their customers to generate voice calls based on a series of prompts from the phishing kit, making the scams even more convincing. These calls typically impersonate bank representatives, instructing targets to provide 2FA codes, install malicious apps, or perform other actions.
The use of AI in cybercrime is not new, but its integration into phishing-as-a-service platforms is a recent development. AI-powered voice cloning can mimic human speech with “uncanny precision,” facilitating authentic-sounding phishing (vishing) schemes that aid in initial access, privilege escalation, and lateral movement within networks. This technological advancement enables threat actors to impersonate executives, colleagues, or IT support personnel, manipulating victims into revealing confidential information or taking harmful actions.
AI-powered PaaS platforms utilize machine learning algorithms to generate realistic and personalized phishing emails, which can mimic legitimate communications from trusted sources. These emails are tailored based on data gathered from social media profiles, email addresses, and other publicly available information, increasing the likelihood of deceiving the recipient. By automating the creation and distribution of phishing content, AI-powered PaaS significantly lowers the barrier to entry for cybercriminals, enabling them to launch large-scale phishing campaigns with minimal effort.
The Mechanics of AI-Powered PaaS
AI-powered PaaS platforms incorporate several advanced technologies to enhance their phishing capabilities:
Natural Language Processing (NLP): NLP algorithms analyze and generate human-like text, creating convincing phishing emails that are contextually relevant and grammatically correct. This makes it harder for recipients to distinguish phishing emails from legitimate communications.
Machine Learning (ML): ML models analyze past phishing campaigns to identify patterns and strategies that are most successful. These insights are used to continuously refine and improve the effectiveness of new phishing attacks.
Automation: AI-powered PaaS platforms automate the entire phishing process, from email generation and distribution to data collection and analysis. This allows cybercriminals to launch and manage multiple campaigns simultaneously, increasing their reach and impact.
Deep Learning: Deep learning techniques are employed to create deepfake videos and audio, which can be used in spear-phishing attacks. These realistic forgeries can impersonate trusted individuals, making social engineering attacks more convincing and effective.
AI is also used to generate vast amounts of unique content for phishing websites, automating the creation process and making it harder for security measures to detect and block these sites. The automation of content generation using large language models (LLMs) allows threat actors to create phishing content more efficiently and at a scale that would be impossible for humans to achieve.
Advanced Phishing Techniques and AI Integration
The rise of AI in phishing campaigns has introduced more sophisticated attack vectors. AI-driven phishing kits can create personalized, highly convincing lures that are difficult for both individuals and automated systems to detect. These kits can leverage AI to analyze social media profiles and other publicly available information to craft tailored phishing emails, increasing the likelihood of successful attacks.
Furthermore, AI enhances the adaptability of phishing campaigns. Attackers can use AI to monitor the effectiveness of their phishing attempts in real time, adjusting their strategies to improve success rates. This dynamic approach makes traditional defense mechanisms less effective, as the phishing tactics continually evolve.
AI also facilitates the deployment of deepfake technology in phishing attacks. Deepfakes, which are hyper-realistic digital forgeries created using AI, can be used to impersonate trusted individuals in voice or video communications. This can lead to more convincing social engineering attacks, where victims are tricked into performing actions they would not ordinarily undertake, such as transferring funds or disclosing sensitive information.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
The Federal Bureau of Investigation (FBI) has announced the successful execution of Operation Endgame, a groundbreaking multinational cyber operation aimed at dismantling a sophisticated network of cybercriminals. This unprecedented initiative involved coordinated efforts from law enforcement agencies across the United States, Denmark, France, Germany, the Netherlands, the United Kingdom, and other countries, with crucial support from Europol and Eurojust.
Key Highlights of Operation Endgame
Operation Endgame marked a significant milestone in the fight against global cybercrime. Beginning on May 28, 2024, this first-of-its-kind operation saw law enforcement agencies in a dozen countries execute searches, make arrests, conduct interviews, and take down or disrupt more than 100 servers involved in various malware operations. The operation specifically targeted the infrastructure of several notorious malware groups, including IcedID, Smokeloader, Pikabot, and Bumblebee. These groups had been responsible for infecting millions of computers worldwide and causing hundreds of millions of dollars in damages.
FBI Director Christopher Wray emphasized the importance of this operation, stating, “Operation Endgame demonstrates the FBI’s continued fight against cybercrime and malware-as-a-service models. Through joint and sequenced actions, we were able to disrupt the criminal infrastructure of multiple malware services that had been causing extensive damage globally.”
The Scope and Impact of the Operation
Operation Endgame involved a series of synchronized actions that spanned multiple countries. Law enforcement agencies in Ukraine, Portugal, Romania, Lithuania, Bulgaria, and Switzerland played pivotal roles in supporting the operation by conducting searches, interviewing or arresting suspects, and seizing or taking down servers.
The malware groups targeted by this operation were responsible for deploying “droppers” and “loaders” to gain unauthorized access to victims’ computers. These tools were used to drop ransomware or other malicious software designed to steal personal and financial information. Among the notable impacts of these malware attacks was the infection of a hospital network in the United States, which not only resulted in significant financial losses but also posed a serious risk to patient care by compromising critical systems.
Collaborative Efforts and Global Reach
The success of Operation Endgame was attributed to the extensive collaboration between various law enforcement agencies and cybersecurity experts. Key participants included the FBI Charlotte, FBI Indianapolis, FBI Jacksonville, FBI Los Angeles, and FBI Cleveland Field Offices, as well as international partners such as the Defense Criminal Investigative Service, the United States Secret Service, the Danish National Police National Special Crime Unit, the French National Police and National Gendarmerie, Germany’s Federal Criminal Police, the Dutch National Police National Hi-Tech Crime Unit, and the United Kingdom’s National Crime Agency.
Robert M. DeWitt, the FBI Charlotte special agent in charge, highlighted the critical role played by FBI employees from field offices across the country, noting, “The results of Operation Endgame send a strong message to cybercriminals around the world. The FBI’s expertise in science and technology, combined with the determination to attack cybercriminal networks, has been instrumental in this massive international takedown.”
Conclusion
Operation Endgame represents a significant victory in the global effort to combat cybercrime. By dismantling the infrastructure of several major malware groups, this operation has not only disrupted ongoing criminal activities but also sent a clear message about the capabilities and resolve of international law enforcement agencies. As cyber threats continue to evolve, the FBI and its partners remain committed to protecting critical infrastructure and pursuing justice against those who seek to exploit technology for malicious purposes.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
The Management Information Base (MIB) is a critical component of network management, particularly within systems that utilize the Simple Network Management Protocol (SNMP). A MIB serves as a hierarchical database that defines the information SNMP management systems can request from agents. This structured data is essential for monitoring and managing networked devices efficiently.
How MIB Works
A Management Information Base (MIB) functions as a collection of manageable network objects, representing both physical and logical components of a network that are SNMP-enabled. These components include a variety of devices such as computers, hubs, routers, switches, and networking software. Each object within a MIB corresponds to specific configuration parameters or statuses of these devices, like software versions, IP addresses, port numbers, and available storage.
The MIB hierarchy allows each MIB object to be uniquely identified using a standardized dotted naming system. For example, the root of the LAN Manager MIB II can be represented as:
This hierarchical structure is tree-like, encompassing branches for both public networking standards and proprietary implementations by various vendors. These vendors can apply to the Internet Assigned Numbers Authority (IANA) to reserve specific MIB numbers for their products. The LAN Manager MIB II, for instance, includes over 90 objects that SNMP management systems use to gather information about network users, sessions, shares, and more.
By using SNMP commands, administrators can retrieve or modify the values of MIB objects. This capability enhances the manageability of network resources, allowing for real-time monitoring and adjustments.
Example MIBs in Microsoft’s Implementation
Microsoft’s SNMP implementation in Windows NT and Windows 2000 includes several important MIBs, each serving different aspects of network management:
Internet MIB II: This MIB provides objects for analyzing the configuration of TCP/IP networks, offering insights into network performance and configuration.
LAN Manager MIB II: This MIB contains objects related to the management of sessions, shares, and users associated with LAN Manager software, including Windows NT and Windows 2000.
DHCP MIB: This MIB is used for monitoring Dynamic Host Configuration Protocol (DHCP) statistics, providing vital information about IP address allocation and usage in Windows NT and Windows 2000 environments.
WINS MIB: This MIB monitors Windows Internet Name Service (WINS) statistics, helping manage the resolution of NetBIOS names to IP addresses in Windows NT and Windows 2000.
These MIBs, along with extensions for other SNMP-manageable devices from vendors like Apple, Cisco, and Novell, ensure comprehensive network management capabilities.
Conclusion
The Management Information Base (MIB) is a fundamental element of SNMP-based network management systems. By providing a structured and hierarchical database of network objects, MIBs enable detailed monitoring and management of various network components. This ensures that network administrators have the tools they need to maintain optimal network performance and security.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
In recent developments, a significant vulnerability has been identified in ARM’s Memory Tagging Extension (MTE), a security feature designed to mitigate memory corruption issues in the ARMv8.5-A architecture. This vulnerability exploits speculative execution, a performance optimization feature in modern CPUs, to bypass MTE’s protections and leak sensitive information.
Understanding Memory Tagging Execution (MTE)
MTE aims to prevent memory corruption by tagging memory locations and validating these tags during access. Each 16-byte memory block is assigned a 4-bit tag, and the CPU checks if the tag associated with a memory address matches the tag embedded in the pointer during access. If the tags do not match, the CPU raises a fault, thus preventing potential memory corruption. MTE operates in three modes: synchronous, asynchronous, and asymmetric. Synchronous mode raises faults immediately during memory access, asynchronous mode raises faults during context switches to prioritize performance, and asymmetric mode combines features of both for a balance between security and performance.
Speculative Execution
Speculative execution allows CPUs to predict and execute future instructions to enhance performance. This feature, while beneficial for speed, can be manipulated to access and leak sensitive information by bypassing security checks that are usually enforced during regular execution. Two specific gadgets, termed TIKTAG-v1 and TIKTAG-v2, have been identified to exploit MTE through speculative execution.
Exploiting MTE with Speculative Execution
Two specific gadgets, termed TIKTAG-v1 and TIKTAG-v2, have been identified to exploit MTE through speculative execution.
TIKTAG-v1 Gadget
TIKTAG-v1 exploits branch prediction and data prefetching. It relies on speculative execution to access memory based on predicted branch outcomes, which affects the cache state. The gadget repeatedly dereferences a guessed pointer, causing speculative tag checks. Differences in cache state between tag match and mismatch reveal the correct tag, as speculative execution does not immediately enforce tag checks, allowing an attacker to infer the tag from observed cache behavior. In real-world applications, such as Google Chrome and the Linux kernel, TIKTAG-v1 can leak MTE tags with high accuracy within seconds, enabling attackers to exploit memory corruption vulnerabilities effectively.
TIKTAG-v2 Gadget
TIKTAG-v2 exploits store-to-load forwarding. When speculative execution performs a store followed by a load operation, the CPU may forward data without completing the store operation if the tags match. By using store and load instructions to check for tag matches, differences in cache hits and misses can indicate tag correctness. This method relies on the CPU’s behavior to forward data during speculative execution paths. Demonstrated in the V8 JavaScript engine and Chromium, TIKTAG-v2 can leak MTE tags effectively, showing how speculative execution can be used to bypass security mechanisms.
Implications for ARM MTE Security
The vulnerability reveals that speculative execution can undermine MTE’s intended protections by leaking tags and allowing unauthorized memory access. This bypasses the fault-raising mechanism of MTE, enabling attackers to execute malicious code or manipulate data undetected. In Google Chrome’s V8 engine, TIKTAG-v2 achieved nearly 100% success in leaking MTE tags, demonstrating the feasibility of such attacks in high-profile software. A TIKTAG-v1 gadget found in the Linux kernel’s snd_timer_user_read() showed potential for leaking tags in kernel space, highlighting the vulnerability’s impact on core system components.
Mitigation Strategies
While MTE is a robust mechanism against traditional memory corruption, the discovery of these speculative execution vulnerabilities calls for additional security measures. Potential mitigations include inserting speculative barriers to prevent speculative execution from accessing sensitive data, adding non-essential instructions to delay speculative execution paths, and redesigning CPUs to handle tag checks consistently, regardless of speculative execution states. These findings emphasize the need for continuous advancements in security protocols and hardware design to counteract sophisticated exploitation techniques leveraging speculative execution.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
Netizen Blog and News 
You must be logged in to post a comment.